VPC sharing allows multiple Alibaba Cloud accounts to create cloud resources, such as Elastic Compute Service (ECS), Server Load Balancer (SLB), and ApsaraDB RDS instances, in a single, centrally managed virtual private cloud (VPC). VPC sharing is built on the Resource Sharing service: the VPC owner shares vSwitches with other Alibaba Cloud accounts that belong to the same resource directory.

Feature overview

A VPC owner can share non-default vSwitches with other Alibaba Cloud accounts (participants). The resource owner and the participants must belong to the same resource directory. A resource directory organizes the Alibaba Cloud accounts of an enterprise into a hierarchy so that they can be managed centrally. For more information, see Resource Sharing overview.

After a vSwitch is shared, participants can use it immediately; by default no acceptance step is required on the participant side. Participants can create cloud resources such as ECS, SLB, and ApsaraDB RDS instances in the shared vSwitch. Instances created by the resource owner and by participants in the same VPC can communicate with each other within the VPC by default. Sharing therefore extends the VPC's trust boundary across accounts: traffic between instances of different accounts is filtered only by the security groups of those instances and by the network ACLs that the resource owner attaches to the vSwitch, so restrict cross-account traffic there rather than relying on the account boundary.

Supported regions

The following table lists the regions that support the VPC sharing feature.

Area Supported region
Asia-Pacific China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), and Indonesia (Jakarta)
Europe and Americas US (Silicon Valley), US (Virginia), Germany (Frankfurt), and UK (London)
Middle East and India India (Mumbai) and UAE (Dubai)

Permissions of the resource owner and participants

After a resource owner shares a vSwitch with a participant, the resource owner and the participant have the following permissions on the shared vSwitch and on the resources in it:

Resource owner
  • Supported operations:
    • Create, view, modify, and delete resources that belong to the resource owner in the shared vSwitch.
    • View the following attributes of resources created by the participant in the shared vSwitch: instance ID, private IP address, and the account that owns the resource.
  • Unsupported operation: modify or delete resources created by the participant in the shared vSwitch.

Participant, while the vSwitch is shared
  • Supported operation: create, modify, or delete cloud resources, such as ECS, SLB, and ApsaraDB RDS instances, in the shared vSwitch.
  • Unsupported operation: view, modify, or delete resources created by other Alibaba Cloud accounts (the resource owner and other participants) in the shared vSwitch.

Participant, after the vSwitch is no longer shared with it
  • Supported operation: view, use, modify, and delete the resources that the participant created in the vSwitch while it was shared.
  • Unsupported operations: view the resources associated with the vSwitch, such as the VPC, route tables, and network ACLs; create new resources in the vSwitch.
The resource owner and the participant have the following permissions on other network resources:

VPC
  • Resource owner: all operation permissions.
  • Participant: view the VPC to which the shared vSwitch belongs.

vSwitches
  • Resource owner: all operation permissions.
    Note: to delete a vSwitch, the resource owner must first stop sharing it with every participant, and all resources that the resource owner and the participants created in the vSwitch must be deleted.
  • Participant:
    • View the shared vSwitch.
    • Create, modify, and delete cloud resources, such as ECS, ApsaraDB RDS, and SLB instances, in the shared vSwitch.

Route tables
  • Resource owner: all operation permissions.
  • Participant: view the route tables and route entries that are associated with the shared vSwitch.

Network ACLs
  • Resource owner: all operation permissions.
  • Participant: view the network ACLs that are associated with the shared vSwitch.

Private CIDR blocks
  • Resource owner: view the private CIDR blocks of the VPC and of all vSwitches in the VPC.
  • Participant: view the private CIDR block of the shared vSwitch.

Flow logs
  • Resource owner:
    • Create flow logs for a specified VPC or vSwitch. The system records traffic information for the elastic network interfaces (ENIs) in that vSwitch, including ENIs that belong to participants. Participants should assume that the resource owner can see their flow metadata.
    • Create flow logs for a specified ENI. Only ENIs that belong to the resource owner can be specified.
  • Participant: no operation permission.

NAT gateways
  • Resource owner: all operation permissions.
    Note:
    • Resources created by the resource owner and by participants in the vSwitch can reach the Internet through the owner's NAT gateways.
    • NAT gateways can be associated only with elastic IP addresses (EIPs) that belong to the resource owner.
  • Participant: no operation permission.

VPN gateways
  • Resource owner: all operation permissions.
    Note: resources created by the resource owner and by participants in the vSwitch can communicate with external networks through the owner's VPN gateways.
  • Participant: no operation permission.

Cloud Enterprise Network (CEN) instances
  • Resource owner: all operation permissions.
    Note: resources created by the resource owner and by participants in the vSwitch can communicate with external networks through the owner's CEN instances.
  • Participant: no operation permission.

VPC peering connections
  • Resource owner: all operation permissions.
    Note: resources created by the resource owner and by participants in the vSwitch can communicate with external networks through the owner's VPC peering connections.
  • Participant: no operation permission.

Tags
  Sharing does not affect the tags that the resource owner has added to its resources. While the vSwitch is shared, the resource owner and the participant can each add tags to their own resources. The participant cannot view the tags added by the resource owner, and the resource owner cannot view the tags added by the participant; the two sets of tags do not affect each other. When the vSwitch is no longer shared, the system deletes the tags that the participant added in the vSwitch.
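The permissions above give the resource owner just enough visibility (instance ID, private IP address, and owning account of every resource in a shared vSwitch) to audit a share before changing it: to find participants that hold no resources and can be removed, accounts that are no longer targets but still have instances in the vSwitch (a participant keeps its resources after the share is revoked), and everything that must be cleared before the vSwitch itself can be deleted. The following script is an added example, not Alibaba Cloud's own code or SDK. It assumes two inputs the owner can obtain from its own account, the resource share and an ENI inventory of the VPC; the field names and every sample record are constructed for this example and only loosely follow the ResourceSharing and ECS API responses.

```python
"""Audit shared vSwitches from the resource owner's side (constructed data)."""
from collections import defaultdict

OWNER_ACCOUNT = "100000000000001"  # constructed resource-owner account ID

# Constructed resource share: two vSwitches shared with two participant accounts.
RESOURCE_SHARE = {
    "ResourceShareName": "rs-shared-net",
    "Resources": [
        {"ResourceType": "VSwitch", "ResourceId": "vsw-a"},
        {"ResourceType": "VSwitch", "ResourceId": "vsw-b"},
    ],
    "Targets": ["100000000000002", "100000000000003"],
}

# Constructed ENI inventory as the owner sees it. Account ...009 is no longer a
# target of the share but still has an instance in vsw-a; vsw-c is not shared.
ENIS = [
    {"VSwitchId": "vsw-a", "PrivateIpAddress": "10.0.1.10", "OwnerId": OWNER_ACCOUNT, "InstanceId": "i-owner-1"},
    {"VSwitchId": "vsw-a", "PrivateIpAddress": "10.0.1.11", "OwnerId": "100000000000002", "InstanceId": "i-p2-a"},
    {"VSwitchId": "vsw-b", "PrivateIpAddress": "10.0.2.10", "OwnerId": "100000000000002", "InstanceId": "i-p2-b"},
    {"VSwitchId": "vsw-a", "PrivateIpAddress": "10.0.1.12", "OwnerId": "100000000000009", "InstanceId": "i-stale"},
    {"VSwitchId": "vsw-c", "PrivateIpAddress": "10.0.3.10", "OwnerId": OWNER_ACCOUNT, "InstanceId": "i-owner-2"},
]


def shared_vswitches(share):
    """IDs of the vSwitches the share currently exposes."""
    return {r["ResourceId"] for r in share["Resources"] if r["ResourceType"] == "VSwitch"}


def usage_by_vswitch(enis, share):
    """For each shared vSwitch, the instance IDs present in it, grouped by owning account."""
    usage = {vsw: defaultdict(list) for vsw in shared_vswitches(share)}
    for eni in enis:
        if eni["VSwitchId"] in usage:
            usage[eni["VSwitchId"]][eni["OwnerId"]].append(eni["InstanceId"])
    return {vsw: {acct: sorted(ids) for acct, ids in accts.items()} for vsw, accts in usage.items()}


def stale_accounts(enis, share, owner=OWNER_ACCOUNT):
    """Accounts holding instances in a shared vSwitch that are neither the owner nor a current target."""
    targets = set(share["Targets"])
    found = set()
    for accts in usage_by_vswitch(enis, share).values():
        found.update(a for a in accts if a != owner and a not in targets)
    return sorted(found)


def idle_targets(enis, share):
    """Targets with no instances in any shared vSwitch: candidates for removal from the share."""
    active = set()
    for accts in usage_by_vswitch(enis, share).values():
        active.update(accts)
    return sorted(t for t in share["Targets"] if t not in active)


def delete_blockers(enis, share, vswitch_id):
    """What must be cleared before vswitch_id can be deleted: the share itself and every instance in it."""
    resources = defaultdict(list)
    for eni in enis:
        if eni["VSwitchId"] == vswitch_id:
            resources[eni["OwnerId"]].append(eni["InstanceId"])
    return {
        "still_shared": vswitch_id in shared_vswitches(share),
        "resources_by_account": {a: sorted(ids) for a, ids in resources.items()},
    }


def can_delete(enis, share, vswitch_id):
    """True only when the vSwitch is unshared and empty, the precondition stated for deletion."""
    blockers = delete_blockers(enis, share, vswitch_id)
    return not blockers["still_shared"] and not blockers["resources_by_account"]


if __name__ == "__main__":
    for vsw, accts in sorted(usage_by_vswitch(ENIS, RESOURCE_SHARE).items()):
        print(vsw, accts)
    print("stale accounts:", stale_accounts(ENIS, RESOURCE_SHARE))
    print("idle targets:", idle_targets(ENIS, RESOURCE_SHARE))
    for vsw in ("vsw-a", "vsw-c"):
        print(vsw, "deletable:", can_delete(ENIS, RESOURCE_SHARE, vsw), delete_blockers(ENIS, RESOURCE_SHARE, vsw))
```

Removing an idle target from the share costs nothing and shrinks the set of accounts that can place instances next to yours; a stale account, by contrast, cannot be cleaned up by the owner, since the owner has no permission to delete participant resources and must ask that account to remove them before the vSwitch can go.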

Billing

In a shared VPC, each participant pays for the instances it creates, such as ECS, SLB, and ApsaraDB RDS instances. Gateway resources such as NAT gateways, VPN gateways, and public bandwidth are billed to the resource owner.

Limits

The following limits apply to a shared VPC.
Note: Shared VPCs also follow the usage and quota limits of standard VPCs. The quota limits on a shared VPC are not affected by the number of participants. For more information, see Limits and quotas.
  • Number of DHCP options sets that can be created with each account: 10 (adjustable: N/A).
  • Number of VPCs that can be associated with each DHCP options set: 10.
  • Number of DHCP options sets that can be associated with each VPC: 1.
  • Number of domain names that can be specified in each DHCP options set: 1.
  • Number of Domain Name System (DNS) server IP addresses that can be specified in each DHCP options set: 4.
  • VPCs that cannot be associated with DHCP options sets: VPCs that contain ECS instances of the following instance families: ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4. To lift this limit, upgrade or release the ECS instances that do not support advanced network features. For more information, see Advanced VPC features.

Enable VPC sharing

For more information, see Enable VPC sharing.